Deploy a PKI on Windows Server 2016 (Part 2)

This is the second part of a seven-part series explaining and setting up a two-tier PKI with Windows Server 2016 in an enterprise SMB setting.

Part 1 (Informational)
>>> Part 2 (Getting Started & IIS Web Server Configuration) <<<
Part 3 (Standalone Offline Root CA Configuration)
Part 4 (Enterprise CA Configuration)
Part 5 (Distributing Certificates & AutoEnrollment)
Part 6 (Additional Configuration)
Part 7 (Troubleshooting & Clean-up)


Preface

In part 2, we will begin by setting up the three servers needed to run the PKI.  I will assume that you already have a hypervisor (Hyper-V, VMware, KVM, etc.) and three fresh Windows Server 2016 servers up and running.

In my examples, I will be using a test domain named “bedrock.domain”.  Obviously, bedrock.domain is not resolvable on the public internet and bedrock.com is not mine, but I will still use the public-facing URLs the way they should be used in a real production environment.  All you need to do is replace “bedrock.domain” and “bedrock.com” with your own internal and public domain names.  There should be no issues provided you have DNS set up correctly both on-prem and publicly.

There are additional steps to take and additional configurations we must perform on the IIS server (WebServ1), but we can’t do these until the RootCA and EnterpriseCA are set up and configured.

Basic Server Setup

Set up the following servers.  You can use your own naming scheme, replace everywhere appropriately:

  1. Server 1 (this will be the Standalone Offline Root CA)
    1. Name:  RootCA
    2. Domain:  Do NOT join to domain.
  2. Server 2 (this will be the Enterprise CA (or issuing / subordinate CA))
    1. Name:  issuingCA
    2. Domain:  bedrock.domain (join this server to your domain)
  3. Server 3 (this will be the IIS server)
    1. Name:  WebServ1
    2. Domain:  bedrock.domain (join this server to your domain)
    3. Drives:  (C: OS Drive) and (D: Data Drive).  The D: drive is where we’ll create the “pki” share.

Web Server Setup (WebServ1)

First we need to get the IIS server (WebServ1) ready, so that when we configure the Root CA and Enterprise CA, there are no issues or delays.  I’m assuming you have already named it appropriately, joined the domain, set up another virtual disk – added it as the (D:) drive, and formatted it as an NTFS volume.
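The naming, domain join and data-disk steps above as a script.  This is an added example, not part of the original post: run only the section for the server you are on, from an elevated PowerShell prompt, since each section ends in a reboot.  It assumes the names used in this series and that the second virtual disk on WebServ1 is the only uninitialised (RAW) disk attached.

```powershell
# Added example, not from the original post: prepare the three VMs from an
# elevated PowerShell prompt. Run ONLY the section for the server you are on;
# each section ends in a reboot. Names and the domain follow this series.

# ---------- RootCA (run on server 1) ----------
# Rename only. The root is deliberately NOT joined to the domain: it is a
# workgroup machine that stays powered off except when it signs the issuing
# CA's certificate or a fresh root CRL.
Rename-Computer -NewName 'RootCA' -Restart

# ---------- issuingCA (run on server 2) ----------
# -NewName renames and joins in one step; Get-Credential prompts for an
# account that is allowed to join computers to bedrock.domain.
Add-Computer -DomainName 'bedrock.domain' -NewName 'issuingCA' `
             -Credential (Get-Credential) -Restart

# ---------- WebServ1 (run on server 3) ----------
# Bring the second virtual disk online as NTFS volume D: first, then join.
# Assumption: the data disk is the only RAW (never initialised) disk attached,
# so it can be selected safely by partition style rather than by disk number.
$dataDisk = Get-Disk | Where-Object PartitionStyle -eq 'RAW'
if (@($dataDisk).Count -ne 1) {
    throw "expected exactly one RAW disk, found $(@($dataDisk).Count)"
}

$dataDisk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter D |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null

# Check the volume before rebooting into the domain
Get-Volume -DriveLetter D | Select-Object DriveLetter, FileSystem, FileSystemLabel, Size

Add-Computer -DomainName 'bedrock.domain' -NewName 'WebServ1' `
             -Credential (Get-Credential) -Restart
```

After the reboot, `(Get-CimInstance Win32_ComputerSystem).Domain` should return bedrock.domain on issuingCA and WebServ1, and WORKGROUP on RootCA.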

Install IIS

IIS needs to be installed if you haven’t done so already.  The defaults will do fine:

  1. On WebServ1, in Server Manager, click Add roles and features.
  2. On the Server Roles page, select Web Server (IIS), in the pop-up, click the Add Features button, then click Next.
  3. Click next until the end, then click Install.

Create Share

We need to create a share that will be the CRL Distribution Point (CDP) and AIA publication location.  The CDP and AIA URLs embedded in every certificate the CAs issue will point here, and clients on the internet will follow them, so this location has to be reachable externally as well as internally.  That means we will soon need to add DNS records, internal and public, for the same name.  I’ll explain that later.  If this server cannot be reached publicly, you can still copy the CRL and CA certificate (AIA) files to whatever web server is publicly accessible.  More on this later as well.

  1. On WebServ1, create a folder on the D: drive named “pki”.  The path should be:  D:\pki
  2. Open Computer Management (compmgmt.msc).
  3. Under “Shared Folders”, right-click Shares and select “New Share“.  Click Next.
    1. Browse to the pki folder you created, then click Next.
    2. Leave the share name as pki, and change the offline setting to: “No files or programs from the shared folder are available offline”.  Click Next.
    3. Click Customize permissions.
      1. On the “Share Permissions” tab, add “Cert Publishers” and allow the “Change” permission.
      2. On the “Security” tab, click the Edit button and add “Cert Publishers”.  Check the “Modify” permission.
    4. Click OK, then click Finish out of both windows.
  4. You should now have a share named “pki” with a folder path of D:\pki, and the “Cert Publishers” group should have the Change share permission and the Modify NTFS permission.  Cert Publishers is the group the enterprise CA’s computer account is added to when the CA role is installed, which is what lets issuingCA publish its CRLs and CA certificate to this share automatically.  The offline root is not a domain member, so its CRL and certificate will be copied here by hand.
  5. Create a blank index.html file at D:\pki\index.html.
  6. Also create a blank cps.html file at D:\pki\cps.html.
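The same share, permissions and placeholder files as a script, with a read-back of what was actually granted.  This is an added example, not part of the original post; it assumes the domain’s NetBIOS name is BEDROCK and is run as an administrator on WebServ1 after the D: volume exists.

```powershell
# Added example, not from the original post: the "Create Share" steps as a
# script. Run as an administrator on WebServ1 after D: exists.
# Assumption: the domain's NetBIOS name is BEDROCK; substitute your own.
$pkiPath   = 'D:\pki'
$publisher = 'BEDROCK\Cert Publishers'

# Cert Publishers is the group the enterprise CA's computer account joins when
# the CA role is installed, which is what lets issuingCA write CRLs and its CA
# certificate to the share automatically. The offline root is not a domain
# member, so its files are copied here by hand.
New-Item -ItemType Directory -Path $pkiPath -Force | Out-Null

# Share permissions: Cert Publishers = Change, Everyone = Read (the wizard's
# default). -CachingMode None is "No files or programs from the shared folder
# are available offline". Read for Everyone is optional here, since clients
# fetch CRLs over HTTP, not SMB; drop it if you prefer a tighter share.
New-SmbShare -Name 'pki' -Path $pkiPath -CachingMode None `
             -ReadAccess 'Everyone' -ChangeAccess $publisher | Out-Null

# NTFS permissions: Modify, inherited by new files (OI) and sub-folders (CI),
# so the CA can overwrite the CRLs it published earlier.
icacls $pkiPath /grant "$($publisher):(OI)(CI)M" | Out-Null

# Empty placeholder pages. Note: with a default document present, IIS serves
# this blank index.html for /pki/ instead of a directory listing; delete it
# if you actually want the listing that Directory Browsing provides.
foreach ($name in 'index.html', 'cps.html') {
    New-Item -ItemType File -Path (Join-Path $pkiPath $name) -Force | Out-Null
}

# Verify what was granted rather than trusting the commands
Get-SmbShareAccess -Name 'pki' | Select-Object AccountName, AccessControlType, AccessRight
(Get-Acl -Path $pkiPath).Access |
    Where-Object IdentityReference -eq $publisher |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

The last two commands should show Cert Publishers with Change on the share and Modify with ContainerInherit, ObjectInherit on the folder; if the NTFS line is missing, the CA will later fail to publish with an access-denied error even though the share permission looks right.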

Create IIS Virtual Directory

Now we need to create the “pki” virtual directory in IIS.  This will make the D:\pki folder available at http://WebServ1.bedrock.domain/pki.  Note that this stays plain HTTP: CDP and AIA URLs must not use HTTPS, because validating the web server’s TLS certificate would itself require fetching a CRL from the same place.  CRLs and CA certificates are signed, so they need no transport protection.

  1. On WebServ1, in IIS Manager, right-click on “Default Web Site” and select “Add Virtual Directory“.
    1. Type pki as the “Alias:“, and D:\pki as “Physical path:“.  Then click OK.

  2. Click to select pki on the left under Default Web Site, then double-click “Directory Browsing” on the right.
    1. On the right, click “Enable” to enable Directory Browsing.

Enable Double Escaping

Because delta CRL file names end in a plus sign before the extension (CAName+.crl), we need to enable Double Escaping on the IIS server so that requests for the delta CRLs are not blocked by request filtering.

*Note:*  Don’t assume it is already on.  allowDoubleEscaping is false in a default IIS install, so check the effective value on your server after following either method below.

  1. On WebServ1, in IIS Manager, click the pki virtual directory, then double-click Request Filtering.
    1. In the actions pane, click Edit Feature Settings.
    2. Select the Allow double escaping check box, then click OK.

  2. Alternatively, you may use the below method:
    1. Open a command prompt and change directory to:  %windir%\system32\inetsrv\
    2. Then run:  appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering -allowDoubleEscaping:True
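The Install IIS, Create IIS Virtual Directory and Enable Double Escaping steps as one script, ending with a check that a file named like a delta CRL can actually be fetched.  This is an added example, not part of the original post; it assumes D:\pki already exists, that webserv1.bedrock.domain resolves to this server, and is run as an administrator on WebServ1.

```powershell
# Added example, not from the original post: the "Install IIS", "Create IIS
# Virtual Directory" and "Enable Double Escaping" steps as one script, with a
# check at the end. Run as an administrator on WebServ1 after D:\pki exists.
# Assumption: the host name webserv1.bedrock.domain resolves to this server.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration

$site = 'Default Web Site'
$vdir = "IIS:\Sites\$site\pki"

# /pki -> D:\pki, served over plain HTTP (CDP/AIA URLs must not be HTTPS)
if (-not (Test-Path $vdir)) {
    New-WebVirtualDirectory -Site $site -Name 'pki' -PhysicalPath 'D:\pki' | Out-Null
}

# Directory Browsing on the virtual directory only, not the whole site
Set-WebConfigurationProperty -PSPath $vdir -Filter '/system.webServer/directoryBrowse' `
                             -Name 'enabled' -Value $true

# Request filtering rejects URLs containing '+' unless double escaping is
# allowed, and delta CRL names end in '+.crl'. Set it at site level, as the
# appcmd command in the post does; the pki virtual directory inherits it.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter '/system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Read the effective value on the virtual directory back (the default is false)
$effective = (Get-WebConfigurationProperty -PSPath $vdir `
    -Filter '/system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping').Value
"allowDoubleEscaping effective on /pki: $effective"

# End-to-end check with a constructed delta-CRL-style file name. HTTP 200 means
# the '+' is no longer blocked; a 404 (sub-status 404.11) means request
# filtering still rejects it.
$probe = 'D:\pki\probe+.crl'
Set-Content -LiteralPath $probe -Value 'probe'
try {
    $r = Invoke-WebRequest -UseBasicParsing -Uri 'http://webserv1.bedrock.domain/pki/probe+.crl'
    "HTTP $($r.StatusCode) for /pki/probe+.crl"
} catch {
    "request failed: $($_.Exception.Message)"
} finally {
    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
}
```

The probe file is removed again in the finally block so nothing but the real CRLs ends up in the published folder.  Repeat the Invoke-WebRequest from a machine outside the domain once the public DNS record exists; that is the path relying parties on the internet will use.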

Create CNAME

Create a “pki” CNAME record on your DNS server pointing to the web server (WebServ1).  This lets you use http://pki.bedrock.domain/pki to reach the pki folder you created, and it keeps the URLs baked into certificates independent of the web server’s real host name, so the server can be replaced later without reissuing anything.  A CNAME can point at any host; here it points at the IIS server.  You should do the same on any external or public DNS as well: if your internal domain isn’t public, such as bedrock.domain, add the record in your public bedrock.com forward lookup zone too, pointing at a name that resolves from the internet.

  1. On your DNS server, Open up DNS Management, and browse to your bedrock.domain forward lookup zone.
    1. Right-click on your version of bedrock.domain forward lookup zone, then click New Alias (CNAME).
    2. In the New Resource Record window, type pki in the “Alias name” field, and then type webserv1.bedrock.domain. in the “Fully qualified…” field.  You need to include the trailing period.  Then click OK.

  2. If you have a bedrock.com forward lookup zone, do the same thing there.
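The CNAME creation and a resolution check as a script.  This is an added example, not part of the original post; it is meant to run on a domain DNS server (or anywhere the DnsServer RSAT module is installed) and assumes the alias name pki and the target webserv1.bedrock.domain used in this series.  If the bedrock.com zone is not hosted on that server, it only prints a reminder to add the record at your public DNS provider.

```powershell
# Added example, not from the original post: create the "pki" CNAME and
# verify it resolves and reaches the web server. Run on a domain DNS server
# (or with the DnsServer RSAT module). The bedrock.com zone is handled here
# only if it is hosted on this same server; a copy of a public zone hosted
# internally still needs the matching record at your public DNS provider,
# pointing at a name that resolves from the internet.
$alias  = 'pki'
$target = 'webserv1.bedrock.domain.'   # trailing dot: fully qualified, no suffix appended

foreach ($zone in 'bedrock.domain', 'bedrock.com') {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        "zone $zone is not hosted here; add CNAME $alias -> $target at your public DNS provider"
        continue
    }
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName `
                                            -ErrorAction SilentlyContinue
    if ($existing) {
        "zone ${zone}: $alias already points to $($existing.RecordData.HostNameAlias)"
    } else {
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $target
        "zone ${zone}: created $alias -> $target"
    }
}

# A CNAME only helps if its target resolves too: check both hops, then port 80,
# from a client's point of view (run Clear-DnsClientCache first if the name
# was queried before the record existed).
Resolve-DnsName -Name "$alias.bedrock.domain" -Type CNAME | Select-Object Name, Type, NameHost
Resolve-DnsName -Name "$alias.bedrock.domain" -Type A     | Select-Object Name, Type, IPAddress
Test-NetConnection -ComputerName "$alias.bedrock.domain" -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

TcpTestSucceeded should be True; if the CNAME resolves but the port test fails, the problem is the web server or a firewall, not DNS.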

Additional Configuration

There are still some more configurations to be done on this web server, but we can’t do those until the RootCA and EnterpriseCA are set up and configured.  For example, we can’t set up “CertSrv” on here yet, because that requires an Enterprise (subordinate issuing) CA.

These things will be configured in later parts of this series.
